Survey and Analysis on ATT&CK Mapping Function of Online Sandbox for Understanding and Efficient Using

Shota Fujii, Rei Yamagishi, Toshihiro Yamauchi

Research output: Contribution to journalArticlepeer-review


Dynamic analysis that automatically analyzes malware has become the defacto standard for coping with the huge amount of current malware types. One analysis support is a function that maps the malware behavior to each ele-ment of the MITRE ATT&CKR○ Technique. This function has been adopted in many online sandboxes and contributes to the efficiency of analysis. On the other hand, this function depends on the implementation of the mapping rules, which may affect the analysis results. Therefore, we investigated the actual situation of online sandboxes that have a function for mapping to the attack technique. In this study, we analyzed a total of 26,078 malware analysis results from three online sandboxes, found that the characteristics for matching to each technique differed among the sandboxes, and clarified the ease of matching each technique. We also compared the mapping characteristics of techniques with those of static analysis-based techniques and manually written reports and showed that the mapping characteristics differed among the techniques. Furthermore, we derived best practices for utilization on the basis of each survey. We believe that these results will lead to a better understanding of online sandboxes and to more efficient malware analysis using online sandboxes.

Original languageEnglish
Pages (from-to)807-821
Number of pages15
JournalJournal of Information Processing
Publication statusPublished - 2022


  • malware
  • online sandbox

ASJC Scopus subject areas

  • Computer Science(all)


Dive into the research topics of 'Survey and Analysis on ATT&CK Mapping Function of Online Sandbox for Understanding and Efficient Using'. Together they form a unique fingerprint.

Cite this